Conditions define the requirements that must be met for a policy statement to take effect. You can use condition keys in key policies, secret policies, and custom policies of Resource Access Management (RAM) to control access to Key Management Service (KMS). This topic describes the common condition keys of Alibaba Cloud and the condition keys that KMS supports.
In the following examples, the Principal element is required in key and secret policies. A RAM custom policy is attached to an identity and does not use the Principal element, so omit it there.
Common condition keys of Alibaba Cloud
acs:SourceIp
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
acs:SourceIp | Allows you to manage permissions on API operations based on the source IP address of a request. | IP address | All KMS operations. For more information, see API overview. | A single IP address or a CIDR block, for example 203.0.XX.XX or 116.62.XX.XX/24 (both forms appear in the samples below). | RAM custom policies, key policies, and secret policies |
Sample RAM policy
In the following example, the kms:GenerateDataKey operation is allowed only for requests whose source IP address is within the 116.62.XX.XX/24 range.
{
  "Statement": [
    {
      "Action": "kms:GenerateDataKey",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "116.62.XX.XX/24"
        }
      }
    }
  ],
  "Version": "1"
}
Sample key or secret policy
In the following example, the RAM user ramuser1 can call all KMS operations on the key or secret, but only from the IP address 203.0.XX.XX. Because the value carries no prefix length it matches that single address; specify a CIDR block such as 203.0.XX.XX/24 to cover a range.
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": [
            "203.0.XX.XX"
          ]
        }
      }
    }
  ]
}
acs:SourceVpc
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
acs:SourceVpc | Allows you to manage permissions on API operations based on the virtual private cloud (VPC) from which the client sends the request. This condition key takes effect only if the request is initiated from a VPC. | String | All KMS operations. For more information, see API overview. | VPC ID. Example: vpc-bp1717bgs34gj****. | |
Limits:
- All Action elements in the Statement field of a policy that uses this condition key must start with kms:. For example, "Action":"kms:*" and "Action":"kms:GenerateDataKey" are valid, whereas "Action":"*" and "Action":"k*" are invalid.
- This condition key is supported only in specific regions.
In the following example of a key or secret policy, the RAM user ramuser1 can initiate requests only from the VPC vpc-bp1l8j1t3l3j5****.
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:SourceVpc": [
            "vpc-bp1l8j1t3l3j5****"
          ]
        }
      }
    }
  ]
}
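The following Python script is an added example, not code from the original page or from Alibaba Cloud. It is a small static linter for the structural rules stated so far: key and secret policies must carry a Principal element while RAM custom policies must not, every Action in a statement that uses acs:SourceVpc must start with kms:, and each condition key must be paired with an operator from the category that its table on this page lists. It runs on the acs:SourceIp and acs:SourceVpc policies from this page and on one constructed policy that breaks the rules; the rule table, the finding messages and the constructed policy (which uses the 203.0.113.0/24 documentation range) are assumptions, not part of any Alibaba Cloud tooling.

```python
import json

# Operator families of the RAM policy language, grouped as in the appendix of this page.
STRING_OPS = {"StringEquals", "StringNotEquals", "StringEqualsIgnoreCase",
              "StringNotEqualsIgnoreCase", "StringLike", "StringNotLike"}
NUMERIC_OPS = {"NumericEquals", "NumericNotEquals", "NumericLessThan",
               "NumericLessThanEquals", "NumericGreaterThan", "NumericGreaterThanEquals"}
DATE_OPS = {"DateEquals", "DateNotEquals", "DateLessThan", "DateLessThanEquals",
            "DateGreaterThan", "DateGreaterThanEquals"}
IP_OPS = {"IpAddress", "NotIpAddress"}

# Operator family each condition key expects, taken from the category column of its table on this page.
EXPECTED_OPS = {
    "acs:SourceIp": IP_OPS, "acs:VpcSourceIp": IP_OPS, "acs:SourceVpc": STRING_OPS,
    "acs:SecureTransport": {"Bool"}, "acs:MFAPresent": {"Bool"}, "acs:CurrentTime": DATE_OPS,
    "kms:ScheduleKeyDeletionPendingWindowInDays": NUMERIC_OPS, "kms:RecoveryWindowInDays": NUMERIC_OPS,
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_policy(policy_json, kind):
    """Return a list of findings; kind is "resource" for a key/secret policy, "ram" for a RAM custom policy."""
    doc = json.loads(policy_json)
    statements = _as_list(doc["Statement"]) if "Statement" in doc else [doc]  # bare statements are accepted too
    findings = []
    for i, st in enumerate(statements):
        where = f"statement[{i}]"
        cond = st.get("Condition") or {}
        # Principal is required in key and secret policies and has no meaning in RAM custom policies.
        if kind == "resource" and "Principal" not in st:
            findings.append(f"{where}: key/secret policies require Principal")
        if kind == "ram" and "Principal" in st:
            findings.append(f"{where}: RAM custom policies do not use Principal")
        # acs:SourceVpc is honoured only when every Action names a kms:-prefixed operation.
        keys_used = {key for block in cond.values() for key in block}
        if "acs:SourceVpc" in keys_used:
            for action in _as_list(st.get("Action", [])):
                if not action.startswith("kms:"):
                    findings.append(f"{where}: Action {action!r} must start with 'kms:' when acs:SourceVpc is used")
        # The operator must belong to the key's category (IpAddress, not StringEquals, for acs:SourceIp).
        for op, block in cond.items():
            for key in block:
                expected = EXPECTED_OPS.get(key)
                if expected and op not in expected:
                    findings.append(f"{where}: {op} is not a valid operator for {key}")
    return findings

# The acs:SourceVpc key policy from this page, unchanged.
KEY_POLICY_OK = """{
  "Version": "1",
  "Statement": [{
    "Sid": "kms policy", "Effect": "Allow", "Action": "kms:*",
    "Principal": {"RAM": ["acs:ram::1192853035****:user/ramuser1"]},
    "Resource": "*",
    "Condition": {"StringEquals": {"acs:SourceVpc": ["vpc-bp1l8j1t3l3j5****"]}}
  }]
}"""

# Constructed: a key policy that breaks two rules (a wildcard Action together with
# acs:SourceVpc, and a string operator on an IP-address key).
KEY_POLICY_BAD = """{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow", "Action": "*",
    "Principal": {"RAM": ["acs:ram::1192853035****:user/ramuser1"]},
    "Resource": "*",
    "Condition": {"StringLike": {"acs:SourceVpc": "vpc-bp1*"},
                  "StringEquals": {"acs:SourceIp": "203.0.113.0/24"}}
  }]
}"""

# The acs:SourceIp RAM policy from this page: fine as a RAM policy, missing Principal as a key policy.
RAM_POLICY = """{
  "Statement": [{
    "Action": "kms:GenerateDataKey", "Effect": "Allow", "Resource": "*",
    "Condition": {"IpAddress": {"acs:SourceIp": "116.62.XX.XX/24"}}
  }],
  "Version": "1"
}"""

if __name__ == "__main__":
    for name, policy, kind in [("key policy ok", KEY_POLICY_OK, "resource"),
                               ("key policy bad", KEY_POLICY_BAD, "resource"),
                               ("ram policy", RAM_POLICY, "ram"),
                               ("ram policy used as key policy", RAM_POLICY, "resource")]:
        print(name, "->", lint_policy(policy, kind) or "no findings")
```

Run it before attaching a policy: the service rejects some of these mistakes outright, but a statement with a mismatched operator can also be accepted and then never match, which silently widens or narrows access.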
acs:VpcSourceIp
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
acs:VpcSourceIp | Allows you to manage permissions on API operations based on the source IP address of a request within a VPC. This condition key takes effect only if the request is initiated from a VPC. | IP address | All KMS operations. For more information, see API overview. | A single VPC-internal IP address or a CIDR block, for example 192.168.XX.XX or 172.168.XX.XX/24 (both forms appear in the samples below). | RAM custom policies, key policies, and secret policies |
Limit: This condition key is supported only in specific regions.
Sample RAM policy
In the following example, the kms:GenerateDataKey operation is allowed only for requests that originate from the VPC vpc-bp1717bghfnkqg5wn**** and from an IP address within the 172.168.XX.XX/24 range. Both conditions must be met, because all condition keys in a Condition element are combined with a logical AND.
{
  "Statement": [
    {
      "Action": "kms:GenerateDataKey",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:SourceVpc": "vpc-bp1717bghfnkqg5wn****"
        },
        "IpAddress": {
          "acs:VpcSourceIp": "172.168.XX.XX/24"
        }
      }
    }
  ],
  "Version": "1"
}
Sample key or secret policy
In the following example, the RAM user ramuser1 can call all KMS operations on the key or secret only from the VPC-internal IP address 192.168.XX.XX. Specify a CIDR block to cover a range of addresses.
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:VpcSourceIp": [
            "192.168.XX.XX"
          ]
        }
      }
    }
  ]
}
acs:SecureTransport
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
acs:SecureTransport | Allows you to manage permissions on API operations based on whether the request is sent over HTTPS. | Boolean | All KMS operations. For more information, see API overview. | true or false | RAM custom policies, key policies, and secret policies |
Sample RAM policy
In the following example, all operations on all KMS resources are allowed only when the request is sent over HTTPS. An Allow statement with this condition does not by itself block plaintext HTTP requests that another statement permits; to enforce HTTPS, add a Deny statement whose condition is acs:SecureTransport set to false, because an explicit Deny overrides any Allow.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ]
}
Sample key or secret policy
In the following example, the RAM user ramuser1 can call KMS operations on the key or secret only over HTTPS.
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ]
}
acs:CurrentTime
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
acs:CurrentTime | Allows you to manage permissions on API operations based on the time at which the server receives the request. | Date and time | All KMS operations. For more information, see API overview. | A UTC time in ISO 8601 format. Example: 2099-12-31T12:00:00Z | |
In the following example of a key or secret policy, the RAM user ramuser1 can initiate requests only if the server receives them before 2099-12-31T12:00:00Z (UTC).
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "DateLessThan": {
          "acs:CurrentTime": "2099-12-31T12:00:00Z"
        }
      }
    }
  ]
}
acs:MFAPresent
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
acs:MFAPresent | Allows you to manage permissions on API operations based on whether the caller passed multi-factor authentication (MFA) when logging on to the console. | Boolean | All KMS operations. For more information, see API overview. | true or false | |
In the following example of a key or secret policy, the RAM user ramuser1 can initiate requests only from a session in which MFA was passed at logon.
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": [
            "true"
          ]
        }
      }
    }
  ]
}
Key-related condition keys
kms:tag
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:tag | Allows you to manage permissions on API operations based on the tags attached to keys. | String | | Custom key tag | |
kms:EncryptionAlgorithm
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:EncryptionAlgorithm | Allows you to manage permissions on cryptographic operations based on the encryption algorithm specified in the request. | String | | Encryption algorithm, such as SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_256, or ECIES_DH_SHA_1_XOR_HMAC. For more information about the encryption algorithms supported by KMS, see Key types and specifications. | |
In the following example, the RAM user key_ramuser1 is denied the Encrypt, Decrypt, and ReEncrypt operations unless the request specifies the RSAES_OAEP_SHA_256 algorithm. A Deny statement grants nothing on its own; combined with a statement that allows these operations, it restricts the user to that single algorithm. Pinning the algorithm in policy prevents the use of non-compliant or insecure encryption algorithms and keeps the use of the key compliant.
{
  "Sid": "Allow only one encryption algorithm with this asymmetric KMS key",
  "Effect": "Deny",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:user/key_ramuser1"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "kms:EncryptionAlgorithm": "RSAES_OAEP_SHA_256"
    }
  }
}
kms:EncryptionContext:${EncryptionContextKey}
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:EncryptionContext:${EncryptionContextKey} | Allows you to manage permissions on symmetric keys in KMS based on the encryption context of a cryptographic request. You can set conditions on the value of a specific key-value pair in the encryption context. | String | | Custom encryption context | |
In the following example, all RAM users and roles of the Alibaba Cloud account 119285303511**** can generate a data key (kms:GenerateDataKey) only when the encryption context of the request contains the key Project with the value ProjectA.
{
  "Effect": "Allow",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:*"
    ]
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:Project": "ProjectA"
    }
  }
}
kms:EncryptionContextKeys
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:EncryptionContextKeys | Allows you to manage permissions on symmetric keys in KMS based on the encryption context of a cryptographic request. You can set conditions on which keys the encryption context contains. | String array | | Keys of the key-value pairs included in EncryptionContext | Key policies |
In the following example, all RAM users and roles of the Alibaba Cloud account 119285303511**** can generate a data key (kms:GenerateDataKey) only when the encryption context of the request includes the key Project, whatever its value.
{
  "Effect": "Allow",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:*"
    ]
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContextKeys": "Project"
    }
  }
}
kms:ExpirationModel
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:ExpirationModel | Allows you to manage permissions on the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in the request. | String | ImportKeyMaterial | KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE | |
In the following example, all RAM users and roles of the Alibaba Cloud account 119285303511**** can import key material (kms:ImportKeyMaterial) only when ExpirationModel is KEY_MATERIAL_DOES_NOT_EXPIRE, that is, only key material that has no expiration time.
{
  "Effect": "Allow",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:*"
    ]
  },
  "Action": "kms:ImportKeyMaterial",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"
    }
  }
}
kms:ValidTo
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:ValidTo | Allows you to manage permissions on the ImportKeyMaterial operation based on the value of the ValidTo parameter in the request, which is the expiration time of the imported key material. You can use this condition key to require that imported key material expire no later than a specific date. | Date (the sample below compares the UNIX timestamp with a numeric operator) | ImportKeyMaterial | UNIX timestamp in seconds | |
In the following example, all RAM users and roles of the Alibaba Cloud account 119285303511**** can import key material only if the ValidTo value in the request, that is, the expiration time of the key material, is no later than June 20, 2024 00:00:00 UTC (UNIX timestamp 1718841600).
{
  "Effect": "Allow",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:*"
    ]
  },
  "Action": "kms:ImportKeyMaterial",
  "Resource": "*",
  "Condition": {
    "NumericLessThanEquals": {
      "kms:ValidTo": "1718841600"
    }
  }
}
kms:KeyOrigin
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:KeyOrigin | Allows you to manage permissions on API operations based on the Origin attribute of a key. You can use this condition key to restrict the CreateKey operation or other key-related operations, for example to allow only keys whose material is generated by KMS or only keys with imported material. | String | All key-related operations. For more information, see API overview. | Key origin, such as Aliyun_KMS or EXTERNAL | |
kms:KeySpec
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:KeySpec | Allows you to manage permissions on API operations based on the KeySpec attribute of a key. | String | All key-related operations. For more information, see API overview. | Key specification. Examples: Aliyun_AES_256 and RSA_2048. For more information about the key specifications supported by KMS, see Key types and specifications. | |
In the following example, all RAM users and roles of the Alibaba Cloud account 119285303511**** can create keys (kms:CreateKey) only if the KeySpec starts with RSA_, such as RSA_2048. Requests for other specifications, such as Aliyun_AES_256, do not match this statement.
{
  "Effect": "Allow",
  "Action": "kms:CreateKey",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:*"
    ]
  },
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "kms:KeySpec": "RSA_*"
    }
  }
}
kms:KeyUsage
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:KeyUsage | Allows you to manage permissions on API operations based on the KeyUsage attribute of a key. | String | All key-related operations. For more information, see API overview. | ENCRYPT_DECRYPT or SIGN_VERIFY | |
In the following example of a RAM custom policy, the kms:CreateKey operation is allowed only for keys whose purpose is ENCRYPT_DECRYPT.
{
  "Effect": "Allow",
  "Action": "kms:CreateKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:KeyUsage": "ENCRYPT_DECRYPT"
    }
  }
}
kms:ScheduleKeyDeletionPendingWindowInDays
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:ScheduleKeyDeletionPendingWindowInDays | Allows you to manage permissions on the ScheduleKeyDeletion operation based on the value of the PendingWindowInDays parameter in the request. | Numeric value | ScheduleKeyDeletion | Pending period before the key is deleted. Unit: days. | |
In the following example, no user or role can schedule the deletion of the key (kms:ScheduleKeyDeletion) with a pending window of 21 days or less. Every scheduled deletion therefore keeps the key recoverable for at least 22 days.
{
  "Effect": "Deny",
  "Action": "kms:ScheduleKeyDeletion",
  "Principal": "*",
  "Resource": "*",
  "Condition": {
    "NumericLessThanEquals": {
      "kms:ScheduleKeyDeletionPendingWindowInDays": "21"
    }
  }
}
kms:SigningAlgorithm
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:SigningAlgorithm | Allows you to manage permissions on the Sign and Verify operations based on the signing algorithm specified in the request. | String | Sign and Verify | Signing algorithm. Examples: RSA_PSS_SHA_256 and ECDSA_SHA_256. For more information about the supported signing algorithms, see Key types and specifications. | |
kms:WrappingAlgorithm
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:WrappingAlgorithm | Allows you to manage permissions on the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in the request. | String | GetParametersForImport | Wrapping algorithm. For more information about the wrapping algorithms supported by KMS, see Import key material into a symmetric key and Import key material into an asymmetric key. | |
kms:WrappingKeySpec
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:WrappingKeySpec | Allows you to manage permissions on the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in the request. | String | GetParametersForImport | Type of the wrapping public key. For more information about the types of wrapping public keys supported by KMS, see Import key material into a symmetric key and Import key material into an asymmetric key. | |
Secret-related condition keys
kms:tag
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:tag | Allows you to manage permissions on API operations based on the tags attached to secrets. | String | | Custom secret tag | |
kms:SecretName
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:SecretName | Allows you to manage permissions on API operations based on the value of the SecretName parameter in the request. | String | All secret-related operations. For more information, see API overview. | Custom secret name | |
kms:EncryptionKeyId
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:EncryptionKeyId | Allows you to manage permissions on API operations based on the ID of the encryption key specified in a secret access request. | String | | Key ID | |
kms:SecretVersionId
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:SecretVersionId | Allows you to manage permissions on API operations based on the unique secret version ID specified in the request. | String | | Secret version ID | |
kms:SecretVersionStage
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:SecretVersionStage | Allows you to manage permissions on API operations based on the secret version stage specified in the request. | String | | | |
kms:SecretType
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:SecretType | Allows you to manage permissions on API operations based on the secret type specified in the request. | String | All secret-related operations. For more information, see API overview. | | |
kms:ForceDeleteWithoutRecovery
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:ForceDeleteWithoutRecovery | Allows you to manage permissions on the DeleteSecret operation based on the value of the ForceDeleteWithoutRecovery parameter in the request, which specifies whether the secret is deleted immediately. A forcibly deleted secret cannot be recovered. | Boolean | DeleteSecret | true or false | |
kms:RecoveryWindowInDays
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:RecoveryWindowInDays | Allows you to manage permissions on the DeleteSecret operation based on the value of the RecoveryWindowInDays parameter in the request, which is the period during which a secret that is not forcibly deleted can still be recovered. Unit: days. | Numeric value | DeleteSecret | Number of days | |
In the following example, no user or role can delete the secret (kms:DeleteSecret) with a recovery window of 10 days or less, so a deleted secret stays recoverable for at least 11 days. Note that this condition only constrains deletions that use a recovery window: a request that sets ForceDeleteWithoutRecovery to true bypasses the recovery window entirely, so pair this statement with a Deny on kms:DeleteSecret whose condition is the Bool operator on kms:ForceDeleteWithoutRecovery with the value true.
{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "kms:DeleteSecret",
      "Principal": "*",
      "Resource": "*",
      "Condition": {
        "NumericLessThanEquals": {
          "kms:RecoveryWindowInDays": "10"
        }
      }
    }
  ]
}
Other condition keys supported by KMS
kms:TlsVersion
Condition key | Description | Conditional operator category | API operation | Valid value | Policy type |
kms:TlsVersion | Allows you to manage permissions on API operations based on the TLS version used by the request. | String | All operations that involve authentication. Note: operations that do not involve authentication, such as DescribeRegions, are not covered. | TLS version number, for example 1.2 | |
In the following example of a RAM custom policy, all operations on the specified key are denied when the request uses a TLS version earlier than 1.2.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "kms:*",
      "Resource": "acs:kms:*:*:key/key-hzz653f1f8fybn5qa****",
      "Condition": {
        "NumericLessThan": {
          "kms:TlsVersion": [
            "1.2"
          ]
        }
      }
    }
  ]
}
Appendix 1: Conditional operator categories
Conditional operators fall into five categories: string, number, date and time, Boolean, and IP address. The operator must belong to the category of the condition key it is applied to, for example IpAddress for acs:SourceIp, Bool for acs:SecureTransport, and DateLessThan for acs:CurrentTime.
Category | Conditional operator |
String | StringEquals, StringNotEquals, StringEqualsIgnoreCase, StringNotEqualsIgnoreCase, StringLike, StringNotLike |
Number | NumericEquals, NumericNotEquals, NumericLessThan, NumericLessThanEquals, NumericGreaterThan, NumericGreaterThanEquals |
Date and time | DateEquals, DateNotEquals, DateLessThan, DateLessThanEquals, DateGreaterThan, DateGreaterThanEquals |
Boolean | Bool |
IP address | IpAddress, NotIpAddress |
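The following Python script is an added example, not code from the original page or from Alibaba Cloud. It is a minimal evaluator for the operator categories listed in this appendix and for the way the samples on this page combine: every operator and key inside one Condition must hold (AND), the values listed for one key are alternatives (OR), an explicit Deny overrides any Allow, and a Deny with a negated operator such as StringNotEquals pins a parameter to one value once an Allow exists. It runs the acs:SecureTransport, acs:SourceIp, kms:EncryptionAlgorithm, kms:ScheduleKeyDeletionPendingWindowInDays and kms:TlsVersion patterns from this page against constructed requests. The combined policy, the requests, the resource ARN with a cn-hangzhou region, the addresses from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges, and the rule that a missing key fails a positive operator but satisfies a negated one are all assumptions; the real RAM evaluator is authoritative.

```python
import fnmatch
import ipaddress
from datetime import datetime, timezone

# Negated operators mapped to the positive operator they invert.
NEGATED = {"StringNotEquals": "StringEquals", "StringNotEqualsIgnoreCase": "StringEqualsIgnoreCase",
           "StringNotLike": "StringLike", "NumericNotEquals": "NumericEquals",
           "DateNotEquals": "DateEquals", "NotIpAddress": "IpAddress"}

def _values(v):
    return v if isinstance(v, list) else [v]

def _time(s):
    # acs:CurrentTime uses ISO 8601 in UTC, for example 2099-12-31T12:00:00Z.
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)

def _positive(op, expected, actual):
    """Compare one request value with one policy value under a non-negated operator."""
    if op == "StringEquals":
        return actual == expected
    if op == "StringEqualsIgnoreCase":
        return actual.lower() == expected.lower()
    if op == "StringLike":                      # * and ? wildcards, as in kms:KeySpec "RSA_*"
        return fnmatch.fnmatchcase(actual, expected)
    if op == "Bool":
        return actual.lower() == expected.lower()
    if op == "IpAddress":                       # a single address or a CIDR block
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    if op.startswith("Numeric"):
        a, e, cmp = float(actual), float(expected), op[len("Numeric"):]
    elif op.startswith("Date"):
        a, e, cmp = _time(actual), _time(expected), op[len("Date"):]
    else:
        raise ValueError(f"unsupported operator {op}")
    return {"Equals": a == e, "LessThan": a < e, "LessThanEquals": a <= e,
            "GreaterThan": a > e, "GreaterThanEquals": a >= e}[cmp]

def condition_holds(op, key, expected, ctx):
    """The values listed for one key are alternatives: the request value must match any one of them."""
    base = NEGATED.get(op, op)
    if key not in ctx:
        # Assumption: a request that lacks the key fails a positive operator and satisfies a
        # negated one (the usual IAM convention). Confirm this against the platform before relying on it.
        return op in NEGATED
    hit = any(_positive(base, str(e), str(ctx[key])) for e in _values(expected))
    return not hit if op in NEGATED else hit

def _principal_ok(pattern, caller):
    # Only the two principal forms used on this page: an exact RAM ARN, or acs:ram::<account>:* for all identities.
    return caller == pattern or (pattern.endswith(":*") and caller.startswith(pattern[:-1]))

def statement_applies(st, req):
    """Principal, Action, Resource and every condition key in the statement must all match."""
    principal = st.get("Principal")             # absent in RAM custom policies, "*" for everyone
    if principal not in (None, "*") and not any(
            _principal_ok(p, req["caller"]) for p in _values(principal.get("RAM", []))):
        return False
    if not any(fnmatch.fnmatchcase(req["action"], a) for a in _values(st.get("Action", []))):
        return False
    if not any(fnmatch.fnmatchcase(req["resource"], r) for r in _values(st.get("Resource", "*"))):
        return False
    return all(condition_holds(op, key, exp, req["context"])
               for op, keys in (st.get("Condition") or {}).items() for key, exp in keys.items())

def evaluate(policy, req):
    """An explicit Deny wins over any Allow; with no matching Allow the request is denied."""
    decision = "Deny"
    for st in _values(policy.get("Statement", policy)):
        if statement_applies(st, req):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

# Constructed key policy assembled from patterns on this page (account and key IDs are the page's masked placeholders).
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Principal": {"RAM": ["acs:ram::1192853035****:*"]}, "Action": "kms:*",
     "Resource": "*", "Condition": {"Bool": {"acs:SecureTransport": "true"},
                                    "IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}},
    {"Effect": "Deny", "Principal": {"RAM": ["acs:ram::1192853035****:user/key_ramuser1"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt"], "Resource": "*",
     "Condition": {"StringNotEquals": {"kms:EncryptionAlgorithm": "RSAES_OAEP_SHA_256"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "kms:ScheduleKeyDeletion", "Resource": "*",
     "Condition": {"NumericLessThanEquals": {"kms:ScheduleKeyDeletionPendingWindowInDays": "21"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "kms:*", "Resource": "*",
     "Condition": {"NumericLessThan": {"kms:TlsVersion": ["1.2"]}}}]}

USER = "acs:ram::1192853035****:user/ramuser1"
KEY_USER = "acs:ram::1192853035****:user/key_ramuser1"
BASE = {"acs:SecureTransport": "true", "acs:SourceIp": "203.0.113.7", "kms:TlsVersion": "1.2"}

def ctx(overrides=None):
    """Constructed request context: the baseline above with selected keys overridden."""
    return {**BASE, **(overrides or {})}

def request(caller, action, context):
    return {"caller": caller, "action": action, "context": context,
            "resource": "acs:kms:cn-hangzhou:1192853035****:key/key-hzz653f1f8fybn5qa****"}

if __name__ == "__main__":
    print(evaluate(POLICY, request(USER, "kms:GenerateDataKey", ctx())))                                   # Allow
    print(evaluate(POLICY, request(USER, "kms:GenerateDataKey", ctx({"acs:SourceIp": "198.51.100.5"}))))   # Deny
    print(evaluate(POLICY, request(KEY_USER, "kms:Encrypt", ctx({"kms:EncryptionAlgorithm": "SYMMETRIC_DEFAULT"}))))  # Deny
    print(evaluate(POLICY, request(USER, "kms:ScheduleKeyDeletion", ctx({"kms:ScheduleKeyDeletionPendingWindowInDays": "7"}))))  # Deny
```

The second statement is the corrected kms:EncryptionAlgorithm sample from this page: on its own it never grants anything, but together with the first statement it leaves key_ramuser1 able to encrypt only with RSAES_OAEP_SHA_256 while ramuser1, who is not named in the Deny, is unaffected. Using a Deny for the guard rails (algorithm, pending deletion window, TLS version) means they keep holding even if someone later adds a broader Allow.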